Treason uncloaked
Steve Buehler
steve at ibapp.com
Wed Feb 23 21:26:17 UTC 2005
I have a web server that goes down every once in a while. I have to
manually restart. It is running RHL 7.3 with 2.4.20-28.7 for the kernel
with Apache/1.3.27. When I run dmesg, I get the following messages:
TCP: Treason uncloaked! Peer 213.181.83.194:3736/80 shrinks window 4255495905:4255495906. Repaired.
TCP: Treason uncloaked! Peer 213.181.83.194:3736/80 shrinks window 4255495905:4255495906. Repaired.
TCP: Treason uncloaked! Peer 217.26.84.76:17932/80 shrinks window 3332120819:3332120820. Repaired.
TCP: Treason uncloaked! Peer 217.26.84.76:17932/80 shrinks window 3332120819:3332120820. Repaired.
There were more. Mainly from these two addresses, but there were
others. Also some of them were for port 443 (yes, I know...https) instead
of 80.
In the httpd logs I find that the 217 IP listed above is using Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1).
The 213 IP shows Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0).
So I don't really think it is a specific browser problem like some of the
info I found on the web said.
The /var/log/httpd/ssl_engine_log only shows one entry for:
/Feb/2004 07:25:59 11018] [error] SSL handshake timed out (client
217.26.84.76, server www.mysite.org:443)
I have been googling around on the web and find a lot of info about it, but
nothing that I understand unless we are getting a DOS attack against
us. The closest thing that sounded like something that I could half way
understand was:
"when a client attempts to resize the packet window after the connection
has been established. It's either a buggy client (buggy web browser or
something) or someone is trying to do a silly DOS attack by having the
linux kernel consume all its TCP buffer and so new connections will lag."
I don't quite understand the resizing of the packet window, but I do
understand a DOS attack. Anyway, by the looks of it, everybody who had this
problem (that I found googling) was running an older operating system like
RHL 7.3. Only one instance did I find of someone getting these
messages on a newer OS than 7.3. That was on RHL 8. So, would it be
logical to assume that if I upgrade the OS to, let's say, RHEL 4, I
probably wouldn't get these messages anymore? Was it a bug or security
hole that was fixed? Is it in Apache? Or would it be something else?
Thanks
Steve
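The practical question in the post is whether these messages come from a couple of misbehaving clients or from a flood. The following script is an added example and is not part of the original post or of any Red Hat tooling: it parses the "Treason uncloaked" lines exactly as dmesg prints them, groups them per peer, and applies a simple triage heuristic. The two numbers after "shrinks window" are the connection's send state, snd_una:snd_nxt, as logged by the printk in the kernel's tcp_retransmit_timer() (the message fires when the retransmit timer runs while the peer is advertising a zero window); their difference is the amount of sent-but-unacknowledged data, which for every line in the post is exactly 1 byte. The sample input below is the poster's own four lines; the 20-connection threshold in triage() is an assumed cut-off, not anything the page states.

```python
#!/usr/bin/env python3
"""Parse and triage "TCP: Treason uncloaked!" dmesg lines (2.4/2.6 kernels)."""
import re
from typing import Dict, List, NamedTuple

# The four dmesg lines quoted in the post above (not invented data).
SAMPLE_DMESG = """\
TCP: Treason uncloaked! Peer 213.181.83.194:3736/80 shrinks window 4255495905:4255495906. Repaired.
TCP: Treason uncloaked! Peer 213.181.83.194:3736/80 shrinks window 4255495905:4255495906. Repaired.
TCP: Treason uncloaked! Peer 217.26.84.76:17932/80 shrinks window 3332120819:3332120820. Repaired.
TCP: Treason uncloaked! Peer 217.26.84.76:17932/80 shrinks window 3332120819:3332120820. Repaired.
"""

# Kernel format: "Peer <daddr>:<dport>/<local port> shrinks window <snd_una>:<snd_nxt>. Repaired."
TREASON_RE = re.compile(
    r"TCP: Treason uncloaked! Peer "
    r"(?P<peer_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<peer_port>\d+)/(?P<local_port>\d+)"
    r" shrinks window (?P<snd_una>\d+):(?P<snd_nxt>\d+)\. Repaired\."
)


class Treason(NamedTuple):
    peer_ip: str
    peer_port: int
    local_port: int
    snd_una: int
    snd_nxt: int

    @property
    def bytes_in_flight(self) -> int:
        # Sequence numbers are 32-bit and wrap, so mask the difference.
        # snd_nxt - snd_una is the data sent but not yet ACKed at the moment
        # the retransmit timer fired with a zero advertised window.
        return (self.snd_nxt - self.snd_una) & 0xFFFFFFFF


def parse_treason_lines(text: str) -> List[Treason]:
    """Return one Treason record per matching dmesg line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = TREASON_RE.search(line)
        if m is None:
            continue
        events.append(Treason(
            m["peer_ip"], int(m["peer_port"]), int(m["local_port"]),
            int(m["snd_una"]), int(m["snd_nxt"]),
        ))
    return events


def summarize(events: List[Treason]) -> Dict[str, dict]:
    """Per peer IP: message count, distinct peer ports (one per connection),
    local ports hit, and the largest amount of unacked data seen."""
    per_peer: Dict[str, dict] = {}
    for e in events:
        s = per_peer.setdefault(e.peer_ip, {
            "messages": 0, "connections": set(), "local_ports": set(), "max_in_flight": 0,
        })
        s["messages"] += 1
        s["connections"].add(e.peer_port)
        s["local_ports"].add(e.local_port)
        s["max_in_flight"] = max(s["max_in_flight"], e.bytes_in_flight)
    return per_peer


def triage(per_peer: Dict[str, dict], many_connections: int = 20) -> Dict[str, str]:
    """Heuristic (threshold is an assumption): one peer opening many distinct
    connections that all stall with a zero window looks like a flood; a peer
    repeating the message on one or two connections is the buggy-client case."""
    return {
        ip: ("many-connections" if len(s["connections"]) >= many_connections
             else "few-connections")
        for ip, s in per_peer.items()
    }


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    summary = summarize(parse_treason_lines(text))
    verdicts = triage(summary)
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1]["messages"]):
        print(f"{ip:16} msgs={s['messages']:4} conns={len(s['connections']):4} "
              f"ports={sorted(s['local_ports'])} max_unacked={s['max_in_flight']} "
              f"-> {verdicts[ip]}")
```

Run it as `dmesg | python3 treason.py` on the affected host; with no input on stdin it runs over the four lines from the post, where each peer shows a single connection (one source port) and one byte outstanding, i.e. the few-connections pattern rather than a flood.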
More information about the redhat-list
mailing list